[PATCH net] net: stmmac: fix the crash issue for zero copy XDP_TX action

[Wei Fang]

> On 2025-12-17 at 18:19:19, Wei Fang (wei.fang at nxp.com) wrote:
> > > > -	res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false);
> > > > -	if (res == STMMAC_XDP_TX)
> > > > +	/* For zero copy XDP_TX action, dma_map is true */
> > > > +	res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc);
> > > 	Seems stmmac_xdp_xmit_xdpf is using dma_map_single if we pass zc is
> > > true.
> > >         Ideally in case of zc, driver can use
> > > page_pool_get_dma_addr, may be you
> > >         need pass zc param as false. Please check
> > >
> >
> > No, the memory type of xdpf->data is MEM_TYPE_PAGE_ORDER0 rather than
> > MEM_TYPE_PAGE_POOL, so we should use dma_map_single().
> > Otherwise, it will lead to invalid mappings and cause the crash.
> >
> >
>  ACK, found below code bit confusing
> 		case STMMAC_XDP_CONSUMED:
>  			xsk_buff_free(buf->xdp);
> +			fallthrough;
> +		case STMMAC_XSK_CONSUMED:
>  			rx_dropped++;
> 
>      Ideally in case of STMMAC_XSK_CONSUMED, driver needs to call
> xsk_buff_free.
>      And in case of STMMAC_XDP_CONSUMED, driver needs to call
> xdp_return_frame.
>      May be you can move all buffer free logic to stmmac_rx_zc with above
> suggested
>      changes.

For zero copy, the xdp_buff is freed by xdp_convert_buff_to_frame()
when converting the xdp_xdp to xdp_frame. So STMMAC_XSK_CONSUMED
means the xdp_buff has been freed, it tells stmmac_rx_zc() no to free a
xdp_buff that has been freed.

I have added a comment for STMMAC_XSK_CONSUMED, see

+       } else if (res == STMMAC_XDP_CONSUMED && zc) {
+               /* xdp has been freed by xdp_convert_buff_to_frame(),
+                * no need to call xsk_buff_free() again, so return
+                * STMMAC_XSK_CONSUMED.
+                */
+               res = STMMAC_XSK_CONSUMED;
+               xdp_return_frame(xdpf);
+       }